Description
- You want to download the Kubeconfig via API or CLI
- Note: There are two types of Kubeconfig
| Type | k8s API server points to | Available for | Note | When to use? |
|---|---|---|---|---|
| Global Kubeconfig | F5XC Console | vk8s, App Stack site | Useful when you don't have direct access to the CE in your network. The kubectl request is handled by a service in GC and then forwarded to your CE kube-apiserver. | E.g., your k8s cluster is in a corporate network that is not reachable from your home. By using the global Kubeconfig, you can access the k8s cluster without a VPN. |
| Local Kubeconfig | Local CE site IP | App Stack site | Your network needs to be able to access the CE node directly. You also need to update DNS to resolve the api-server domain. | E.g., you can disable global access and allow only local access to meet corporate security requirements. |
Environment
- F5® Distributed Cloud App Stack site (=Managed k8s)
- Local Kubeconfig
- Global Kubeconfig
Procedure
F5® Distributed Cloud App Stack site
API
- Local Kubeconfig:
- Use the following request, replacing the example values with your own. Refer to the API Building a Request documentation for more details.
- Tenant: volt-test, Site-name: test-site, APIToken: yourtokenxyz
curl --location --request POST 'https://volt-test.console.ves.volterra.io/api/config/namespaces/system/sites/test-site/local-kubeconfig' \
--header 'Authorization: APIToken yourtokenxyz' \
--header 'Access-Control-Allow-Origin: *' \
--header 'x-volterra-apigw-tenant: volt-test'
- Global Kubeconfig:
- Note that the API path is different and that you need to add an expiration timestamp.
- Tenant: volt-test, Site-name: test-site, APIToken: yourtokenxyz, Expiretime: Check below
curl --location --request POST 'https://volt-test.console.ves.volterra.io/api/web/namespaces/system/sites/test-site/global-kubeconfigs' \
--header 'Authorization: APIToken yourtokenxyz' \
--header 'Access-Control-Allow-Origin: *' \
--header 'x-volterra-apigw-tenant: volt-test' \
--data-raw '{"expirationTimestamp":"2021-09-14T09:02:25.547659194Z"}'
- Global Kubeconfig for vk8s
- vk8s only has a global Kubeconfig; it is issued as an API credential
- Tenant: volt-test, Site-name: test-site, APIToken: yourtokenxyz, Expiretime: Check below, Namespace: shali-ns1
curl --location --request POST 'https://volt-test.console.ves.volterra.io/api/web/namespaces/shali-ns1/api_credentials' \
--header 'Authorization: APIToken yourtokenxyz=' \
--data-raw '{"name":"shali-ns1-vk8s","namespaces":"system","expiration_days":97,"spec":{"type":"KUBE_CONFIG","users":[],"password":null,"virtual_k8s_name":"shali-ns1-vk8s","virtual_k8s_namespace":"shali-ns1"}}'
VESCTL
- Local Kubeconfig
vesctl request rpc site.ConfigKubeConfigAPI.CreateLocalKubeConfig --http-method POST --uri /config/namespaces/system/sites/test-site/local-kubeconfig --json-data '{}' --timeout 30
- Global Kubeconfig
vesctl request rpc site.UamKubeConfigAPI.CreateGlobalKubeConfig --http-method POST --uri '/web/namespaces/system/sites/test-site/global-kubeconfigs' --json-data '{"expirationTimestamp":"2021-09-14T09:02:25.547659194Z"}' --timeout 30
- The returned "data: " field is base64-encoded text, so pipe it through " | base64 --decode" to get the Kubeconfig
- With the --json-data option you should be able to supply the expiration timestamp and get the global Kubeconfig
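The last two steps above, as an added example that is not part of F5's documentation: shell functions that build a short-lived expiration timestamp in the page's format and decode the returned "data" field into a file only the owner can read, since a Kubeconfig is a cluster credential. The function names, the constructed sample response and the `kind: Config` check are assumptions, and the code relies on GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example, not F5 code. Assumes GNU coreutils (date, base64, stat) and
# a response whose "data" field starts a line, as the page describes.

# Expiration timestamp N hours from now, in the same UTC format as the
# "expirationTimestamp" value shown on the page.
expiry_in_hours() {
  date -u -d "+${1} hours" '+%Y-%m-%dT%H:%M:%S.%NZ'
}

# Read a response on stdin and decode its "data" field into file $1 with
# owner-only permissions. Accepts 'data: <b64>' or '{"data":"<b64>"}'.
# On any failure no file is left behind.
save_kubeconfig() {
  local out=$1 b64
  b64=$(sed -n 's/^[[:space:]{]*"\{0,1\}data"\{0,1\}:[[:space:]]*"\{0,1\}\([A-Za-z0-9+/=]*\).*/\1/p' | head -n 1)
  if [ -z "$b64" ]; then
    echo "no data field in response" >&2; return 1
  fi
  rm -f "$out"
  if ! ( umask 077; printf '%s' "$b64" | base64 --decode > "$out" ); then
    echo "data field is not valid base64" >&2; rm -f "$out"; return 1
  fi
  # Assumption: the decoded file is YAML with a "kind: Config" line, as
  # kubeconfigs normally are; an error body is rejected, not kept.
  if ! grep -q '^kind: Config' "$out"; then
    echo "decoded data is not a kubeconfig" >&2; rm -f "$out"; return 1
  fi
}

# Constructed sample response wrapping a minimal kubeconfig.
sample_response() {
  local cfg='apiVersion: v1
kind: Config
clusters: []
users: []'
  printf 'data: %s\n' "$(printf '%s\n' "$cfg" | base64 -w0)"
}

demo() {
  local f
  f=$(mktemp -d)/kubeconfig
  sample_response | save_kubeconfig "$f" && stat -c '%a %n' "$f"
  printf '{"expirationTimestamp":"%s"}\n' "$(expiry_in_hours 8)"
}
demo
```

In real use, pipe the vesctl or curl output into `save_kubeconfig` in place of `sample_response`, and pass the `expiry_in_hours` value as the `expirationTimestamp`.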